HECVAT Category

Vulnerability Management

Vulnerability Management covers controls and questions related to that domain. It outlines expectations institutions typically require from vendors. The category helps assess risk posture and operational maturity. It provides structure for consistent evaluation during security reviews.

Assessment Questions

VULN-01

Are your systems and applications scanned with an authenticated user account for vulnerabilities (that are remediated) prior to new releases?

Pre-release vulnerability testing is what's being verified: whether you scan systems and applications using an authenticated account and remediate findings before shipping new releases.

VULN-02

Will you provide results of application and system vulnerability scans to the institution?

Transparency around scanning is the issue: the institution wants to know whether you will share the results of your application and system vulnerability scans with them.

VULN-03

Will you allow the institution to perform its own vulnerability testing and/or scanning of your systems and/or application, provided that testing is performed at a mutually agreed upon time and date?

Customer-led testing is what's being asked about: whether you will let the institution run its own vulnerability scans against your systems at a mutually agreed time.

VULN-04

Have your systems and applications had a third-party security assessment completed in the last year?

Independent validation is what reviewers are after, namely whether your systems and applications underwent a third-party security assessment within the past year. A third-party security assessment is when an external company or consultant (not affiliated with your organization) conducts a comprehensive review of your IT environment to identify security vulnerabilities, weaknesses, or compliance gaps.

VULN-05

Do you regularly scan for common web application security vulnerabilities (e.g., SQL injection, XSS, XSRF, etc.)?

Web application scanning is the subject of this item, specifically whether you routinely scan for common flaws such as SQL injection, XSS, and XSRF. These vulnerabilities include:

VULN-06

Are your systems and applications regularly scanned externally for vulnerabilities?

External vulnerability scanning is the subject of this question, which asks whether your systems and applications are regularly scanned from outside your network. External vulnerability scanning involves using automated tools to examine your internet-facing assets (websites, servers, cloud resources, etc.) from outside your network to identify security weaknesses that could be exploited by attackers.

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Signature
Neil Cameron
Founder, ResponseHub
Neil Cameron